7 The sip:provider CE Handbook / 84 1 Introduction 1.1 About this Document This document describes the architecture and the operational steps to install, operate and modify the Sipwise sip:provider CE. The first chapter gives an introduction into the sip:provider CE. It describes what it is, what it contains and who should use it. The second chapter guides through the installation and upgrade process of the sip:provider CE. It lines out the prerequisites and the steps required to install it from scratch or upgrade it from an older version. The third chapter provides an architectural overview of what software components are used within the sip:provider CE. It goes into each of the main components and outlines how the signaling and media paths are routed through the system. It also provides charts of basic call flows to give you an idea how the system internally works. The fourth chapter describes the steps to configure the sip:provider CE in order to offer VoIP services to end users. The fifth chapter goes deeper into advanced subscriber features and explains how to use them. The sixth chapter shows the different customer self-care interfaces and describes how to configure them. The seventh chapter describes the billing interface, so you can rate calls and export call detail records. The eighth chapter describes in detail the steps necessary if you want to start modifying local configuration files to adapt and extend the system. The ninth chapter guides through the provisioning interface (SOAP and XMLRPC) system, so you can integrate it into your own or third-party provisioning and billing systems. The tenth chapter outlines additional tasks to protect the sip:provider CE from security exploits and attacks, as well as describes the steps to perform regular backups and restore from them when necessary. 1.2 Getting Help Community Support We have set up the spce-user mailing list, where questions are answered on a best-effort basis and discussions can be started with other community users Commercial Support If you need professional help setting up and maintaining the sip:provider CE, send an to Sipwise also provides training and commercial support for the platform. Additionally, we offer a migration path to the sip:provider PRO appliance, which is the commercial, carrier-grade version of the sip:provider CE. If the user base grows on the CE, this will allow operators to migrate seamlessly to a highly available and scalable platform with defined service level agreements, phone support and on-call duty. Please visit for more information on commercial offerings. 1

8 The sip:provider CE Handbook / What is the sip:provider CE? The sip:provider CE is a SIP based Open Source Class5 VoIP soft-switch platform providing rich telephony services. It offers a wide range of features to end users (call forwards, voic , conferencing, call blocking, click-to-dial, call-lists showing nearrealtime accounting information etc.), which can be configured by them using the customer-self-care web interface. For operators, it offers a fully web-based administrative panel, allowing them to configure users, peerings, billing profiles etc., as well as viewing real-time statistics of the system. For tight integration into existing infrastructures, it provides SOAP and XMLRPC APIs. The sip:provider CE can be installed in a few steps within a couple of minutes and requires no knowledge about configuration files of specific software components. 1.4 What is inside the sip:provider CE? Opposed to other free VoIP software, the sip:provider CE is not a single application, but a whole software platform, the Sipwise NGCP (Sipwise Next Generation Communication Platform), which is based on Debian GNU/Linux. Using a highly modular design approach, the NGCP leverages popular open-source software like MySQL, Apache, Catalyst, Kamailio, SEMS, Asterisk etc. as its core building blocks. These blocks are glued together using optimized and proven configurations and work-flows and are complemented by building blocks developed by Sipwise to provide fully-featured and easy to operate VoIP services. After downloading and starting the installer, it will fetch and install all the required Debian packages from the relevant Debian repositories. The installed applications are managed by the NGCP Configuration Framework, which allows to change system parameters in a single place, so administrators don t need to have any knowledge of the dozens of different configuration files of the different packages. This provides a very easy and bullet-proof way of operating, changing and tweaking the otherwise quite complex system. Once configured, integrated web interfaces are provided for both end users and administrators to use the sip:provider CE. By using the provided provisioning and billing APIs, it can be integrated tightly into existing OSS/BSS infrastructures to optimize work-flows. 1.5 Who should use the sip:provider CE? The sip:provider CE is specifically tailored to companies and engineers trying to start or experiment with a fully-featured SIP based VoIP service without having to go through the steep learning curve of SIP signalling, integrating the different building blocks to make them work together in a reasonable way and implementing the missing components to build a business on top of that. In the past, creating a business-ready VoIP service included installation and configuration of SIP software like Asterisk, OpenSER, Kamailio etc., which can get quite difficult when it comes to implementing advanced features. It required to implement different web interfaces, billing engines and connectors to existing OSS/BSS infrastructure. These things are now obsolete due to the CE, which covers all these requirements. 2

9 The sip:provider CE Handbook / 84 2 Platform Architecture The sip:provider CE platform is one single node running all necessary components of the system. The components are outlined in the following figure: Figure 1: Architecture Overview The main building blocks of the sip:provider CE are: SIP Signaling and Media Relay Provisioning Mediation and Billing 2.1 SIP Signaling and Media Relay In SIP-based communication networks, it is important to understand that the signaling path (e.g. for call setup and tear-down) is completely independent of the media path. On the signaling path, the involved endpoints negotiate the call routing (which user 3

10 The sip:provider CE Handbook / 84 calls which endpoint, and via which path - e.g. using SIP peerings or going through the PSTN - the call is established) as well as the media attributes (via which IPs/ports are media streams sent and which capabilities do these streams have - e.g. video using H.261 or Fax using T.38 or plain voice using G.711). Once the negotiation on signaling level is done, the endpoints start to send their media streams via the negotiated paths SIP and Media Elements The components involved in SIP and Media on the sip:provider CE are shown in the following figure: Figure 2: SIP and Media Relay Components SIP Load-Balancer The SIP load-balancer is a Kamailio instance acting as ingress and egress point for all SIP traffic to and from the system. It s a high-performance SIP proxy instance based on Kamailio and is responsible for sanity checks of inbound SIP traffic. It filters broken SIP messages, rejects loops and relay attempts and detects denial-of-service and brute-force attacks and gracefully handles them to protect the underlying SIP elements. It also performs the conversion of TLS to internal UDP and vice versa for secure signaling between endpoints and the sip:provider CE, and does far-end NAT traversal in order to enable signaling through NAT devices. The load-balancer is the only SIP element in the system which exposes a SIP interface to the public network. Its second leg binds in the switch-internal network to pass traffic from the public internet to the corresponding internal components. The name load-balancer comes from the fact that in the commercial version, when scaling out the system beyond just one pair of servers, the load-balancer instance becomes its own physical node and then handles multiple pairs of proxies behind it. On the public interface, the load-balancer listens on port 5060 for UDP and TCP, as well as on 5061 for TLS connections. On the internal interface, it speaks SIP via UDP on port 5060 to the other system components, and listens for XMLRPC connections on TCP port 5060, which is used by the OSSBSS system to control the daemon. Its config files reside in /etc/ngcp-config/templates/etc/kamailio/lb/, and changes to these files are applied by executing ngcpcfg apply. 4

11 The sip:provider CE Handbook / 84 Tip The SIP load-balancer can be managed via the commands /etc/init.d/kamailio-lb start, /etc/init.d/ kamailio-lb stop and /etc/init.d/kamailio-lb restart. Its status can be queried by executing /etc/ init.d/kamailio-lb status. Also ngcp-kamctl lb and ngcp-sercmd lb are provided for querying kamailio functions, for example: ngcp-sercmd lb htable.dump ipban. SIP Proxy/Registrar The SIP proxy/registrar (or short proxy) is the work-horse of the sip:provider CE. It s also a separate Kamailio instance running in the switch-internal network and is connected to the provisioning database via MySQL, authenticates the endpoints, handles their registrations on the system and does the call routing based on the provisioning data. For each call, the proxy looks up the provisioned features of both the calling and the called party (either subscriber or domain features if it s a local caller and/or callee, or peering features if it s from/to an external endpoint) and acts accordingly, e.g. by checking if the call is blocked, by placing call-forwards if applicable and by normalizing numbers into the appropriate format, depending on the source and destination of a call. It also writes start- and stop-records for each call, which are then transformed into call detail records (CDR) by the mediation system. If the endpoints indicate negotiation of one or more media streams, the proxy also interacts with the Media Relay to open, change and close port pairs for relaying media streams over the sip:provider CE, which is especially important to traverse NAT. The proxy listens on UDP port 5062 in the system-internal network. It cannot be reached directly from the outside, but only via the SIP load-balancer. Its config files reside in /etc/ngcp-config/templates/etc/kamailio/proxy/, and changes to these files are applied by executing ngcpcfg apply. Tip The SIP proxy can be controlled via the commands /etc/init.d/kamailio-proxy start, /etc/init.d/kam ailio-proxy stop and /etc/init.d/kamailio-proxy restart. Its status can be queried by executing / etc/init.d/kamailio-proxy status. Also ngcp-kamctl proxy and ngcp-sercmd proxy are provided for querying kamailio functions, for example: ngcp-kamctl proxy ul show. SIP Back-to-Back User-Agent (B2BUA) The SIP B2BUA (also called SBC within the system) decouples the first call-leg (calling party to sip:provider CE) from the second call-leg (sip:provider CE to the called party). The software part used for this element is SEMS. This element is typically optional in SIP systems, but it is always used for SIP calls (INVITE) that don t have the sip:provider CE as endpoint. It acts as application server for various scenarios (e.g. for feature provisioning via Vertical Service Codes and as Conferencing Server) and performs the B2BUA decoupling, topology hiding, caller information hiding, SIP header and Media 5

12 The sip:provider CE Handbook / 84 feature filtering, outbound registration, outbound authentication and call length limitation as well as Session Keep-Alive handler. Due to the fact that typical SIP proxies (like the load-balancer and proxy in the sip:provider CE) do only interfere with the content of SIP messages where it s necessary for the SIP routing, but otherwise leave the message intact as received from the endpoints, whereas the B2BUA creates a new call leg with a new SIP message from scratch towards the called party, SIP message sizes are reduced significantly by the B2BUA. This helps to bring the message size under 1500 bytes (which is a typical default value for the MTU size) when it leaves the sip:provider CE. That way, chances of packet fragmentation are quite low, which reduces the risk of running into issues with low-cost SOHO routers at customer sides, which typically have problems with UDP packet fragmentation. The SIP B2BUA only binds to the system-internal network and listens on UDP port 5080 for SIP messages from the load-balancer or the proxy, on UDP port 5040 for control messages from the cli tool and on TCP port 8090 for XMLRPC connections from the OSSBSS to control the daemon. Its configuration files reside in /etc/ngcp-config/templates/etc/sems, and changes to these files are applied by executing ngcpcfg apply. Tip The SIP B2BUA can be controlled via the commands /etc/init.d/sems start, /etc/init.d/sems stop and / etc/init.d/sems restart. Its status can be queried by executing /etc/init.d/sems status SIP App-Server The SIP App-Server is an Asterisk instance used for voice applications like Voic and Reminder Calls. Asterisk uses the MySQL database as a message spool for voic , so it doesn t directly access the file system for user data. The voic plugin is a slightly patched version based on Asterisk 1.4 to make Asterisk aware of the sip:provider CE internal UUIDs for each subscriber. That way a SIP subscriber can have multiple E164 phone numbers, but all of them terminate in the same voicebox. The App-Server listens on the internal interface on UDP port 5070 for SIP messages and by default uses media ports in the range from UDP port to The configuration files reside in /etc/ngcp-config/templates/etc/asterisk, and changes to these files are applied by executing ngcpcfg apply. Tip The SIP App-Server can be controlled via the commands /etc/init.d/asterisk start, /etc/init.d/asteris k stop and /etc/init.d/asterisk restart. Its status can be queried by executing /etc/init.d/asterisk status Media Relay The Media Relay (also called mediaproxy-ng or mediaproxy) is a Kernel-based packet relay, which is controlled by the SIP proxy. For each media stream (e.g. a voice and/or video stream), it maintains a pair of ports in the range of port number to When the media streams are negotiated, mediaproxy opens the ports in user-space and starts relaying the packets to the addresses announced by the endpoints. If packets arrive from different source addresses than announced in the SDP body 6

13 The sip:provider CE Handbook / 84 of the SIP message (e.g. in case of NAT), the source address is implicitly changed to the address the packets are received from. Once the call is established and the mediaproxy has received media packets from both endpoints for this call, the media stream is pushed into the kernel and is then handled by a custom Sipwise iptables module to increase the throughput of the system and to reduce the latency of media packets. The mediaproxy internally listens on UDP port for control messages from the SIP proxy. For each media stream, it opens two pairs of UDP ports on the public interface in the range of and per default, one pair on odd port numbers for the media data, and one pair on the next even port numbers for meta data, e.g. RTCP in case of RTP streams. Each endpoint communicates with one dedicated port per media stream (opposed to some implementations which use one pair for both endpoints) to avoid issues in determining where to send a packet to. The mediaproxy also sets the QoS/ToS/DSCP field of each IP packet it sends to a configured value, 184 (0xB8, expedited forwarding) by default. The kernel-internal part of the mediaproxy is facilitated through an iptables module having the target name MEDIAPROXY. If any additional firewall or packet filtering rules are installed, it is imperative that this rule remains untouched and stays in place. Otherwise, if the rule is removed from iptables, the kernel will not be able to forward the media packets and forwarding will fall back to the user-space daemon. The packets will still be forwarded normally, but performance will be much worse under those circumstances, which will be especially noticeable when a lot of media streams are active concurrently. See the section on Firewalling for more information. The mediaproxy configuration file is /etc/ngcp-config/templates/etc/default/ngcp-mediaproxy-ng-dae mon, and changes to this file are applied by executing ngcpcfg apply. The UDP port range can be configured via the config.yml file under the section rtpproxy. The QoS/ToS value can be changed via the key qos.tos_rtp. Tip The Media Relay can be controlled via the commands /etc/init.d/ngcp-mediaproxy-ng-daemon start, / etc/init.d/ngcp-mediaproxy-ng-daemon stop and /etc/init.d/ngcp-mediaproxy-ng-daemon r estart. Its status can be queried by executing /etc/init.d/ngcp-mediaproxy-ng-daemon status 7

14 The sip:provider CE Handbook / Basic Call Flows Endpoint Registration Figure 3: Registration Call-Flow The subscriber endpoint starts sending a REGISTER request, which gets challenged by a 401. After calculating the response of the authentication challenge, it sends the REGISTER again, including the authentication response. The SIP proxy looks up the credentials of the subscriber in the database, does the same calculation, and if the result matches the one from the subscriber, the registration is granted. The SIP proxy writes the content of the Contact header (e.g. into its location table (in case of NAT the content is changed by the SIP load-balancer to the IP/port from where the request was received), so it knows where the reach a subscriber in case on an inbound call to this subscriber (e.g. is mapped to and sent out to this address). If NAT is detected, the SIP proxy sends a OPTION message to the registered contact every 30 seconds, in order to keep the NAT binding on the NAT device open. Otherwise, for subsequent calls to this contact, the sip:provider PRO wouldn t be able to reach the endpoint behind NAT (NAT devices usually drop a UDP binding after not receiving any traffic for ~30-60 seconds). 8

15 The sip:provider CE Handbook / 84 By default, a subscriber can register 5 contacts for an Address of Record (AoR, e.g. 9

16 The sip:provider CE Handbook / 84 10

17 The sip:provider CE Handbook / 84 Basic Call 11

18 The sip:provider CE Handbook / 84 The calling party sends an INVITE (e.g. via the SIP load-balancer to the SIP proxy. The proxy replies with an authorization challenge in the 407 response, and the calling party sends the INVITE again with authentication credentials. The SIP proxy checks if the called party is a local user. If it is, and if there is a registered contact found for this user, then (after various feature-related tasks for both the caller and the callee) the Request-URI is replaced by the URI of the registered contact (e.g. If it s not a local user but a numeric user, a proper PSTN gateway is being selected by the SIP proxy, and the Request-URI is rewritten accordingly (e.g :5060). Once the proxy has finished working through the call features of both parties involved and has selected the final destination for the call, and - optionally - has invoked the Media Relay for this call, the INVITE is sent to the SIP B2BUA. The B2BUA creates a new INVITE message from scratch (using a new Call-ID and a new From-Tag), copies only various and explicitly allowed SIP headers from the old message to the new one, filters out unwanted media capabilities from the SDP body (e.g. to force audio calls to use G.711 as a codec) and then sends the new message via the SIP load-balancer to the called party. SIP replies from the called party are passed through the elements back to the calling party (replacing various fields on the B2BUA to match the first call leg again). If a reply with an SDP body is received by the SIP proxy (e.g. a 183 or a 200), the Media Relay is invoked again to prepare the ports for the media stream. Once the 200 is routed from the called party to the calling party, the media stream is fully negotiated, and the endpoints can start sending traffic to each outer (either end-to-end or via the Media Relay). Upon reception of the 200, the SIP proxy writes a start record for the accounting process. The 200 is also acknowledged with an ACK message from the calling party to the called party, according to the SIP 3-way handshake. Either of the parties can tear down the media session at any time by sending a BYE, which is passed through to the other party. Once the BYE reaches the SIP proxy, it instructs the Media Relay to close the media ports, and it writes a stop record for accounting purposes. Both the start- and the stop-records are picked up by the mediator service in a regular interval and are converted into a Call Detail Record (CDR), which will be rated by the rate-o-mat process and can be billed to the calling party. Session Keep-Alive The SIP B2BUA acts as refresher for the Session-Timer mechanism as defined in RFC If the endpoints indicate support for the UPDATE method during call-setup, then the SIP B2BUA will use an UPDATE message if enabled per peer, domain or subscriber via Provisioning to check if the endpoints are still alive and responsive. Both endpoints can renegotiate the timer within a configurable range. All values can be tuned using the Admin Panel or the APIs using Peer-, Domain- and Subscriber- Preferences. Tip Keep in mind that the values being used in the signaling are always half the value being configured. So if you want to send a keep-alive every 300 seconds, you need to provision sst_expires to 600. If one of the endpoints doesn t respond to the keep-alive messages or answers with 481 Call/Transaction Does Not Exist, then the call is torn down on both sides. This mechanism prevents excessive over-billing of calls if one of the endpoints is not reachable anymore or "forgets" about the call. The BYE message sent by the B2BUA triggers a stop-record for accounting and also closes the media ports on the Media Relay to stop the call. 12

19 The sip:provider CE Handbook / 84 Beside the Session-Timer mechanism to prevent calls from being lost or kept open, there is a maximum call length of seconds per default defined in the B2BUA. This is a security/anti-fraud mechanism to prevent overly long calls causing excessive costs. Voicebox Calls Calls to the Voicebox (both for callers leaving a voic message and for voicebox owners managing it via the IVR menu) are passed directly from the SIP proxy to the App-Server without a B2BUA. The App-Server maintains its own timers, so there is no risk of over-billing or overly long calls. In such a case where an endpoint talks via the Media Relay to a system-internal endpoint, the Media Relay bridges the media streams between the public in the system-internal network. In case of an endpoint leaving a new message on the voicebox, the Message-Waiting-Indication (MWI) mechanism triggers the sending of a unsolicited NOTIFY message, passing the number of new messages in the body. As soon as the voicebox owner dials into his voicebox (e.g. by calling from his SIP account), another NOTIFY message is sent to his devices, resetting the number of new messages. 13

20 The sip:provider CE Handbook / 84 Important The sip:provider CE does not require your device to subscribe to the MWI service by sending a SUBSCRIBE (it would rather reject it). On the other hand, the endpoints need to accept unsolicited NOTIFY messages (that is, a NOTIFY without a valid subscription), otherwise the MWI service will not work with these endpoints. 14

21 The sip:provider CE Handbook / 84 3 Upgrading from previous versions 3.1 Upgrade from v2.7 to v2.8 The system upgrade from sip:provider CE v2.7 to 2.8 will perform a couple of tasks: 1. Migrate configuration system to a rolling release schema 2. Migrate database system to a rolling release schema 3. Upgrade NGCP software packages 4. Upgrade NGCP configuration templates 5. Upgrade base system within Debian 6.0 to latest package versions For upgrading the sip:provider CE from v2.7 to the latest 2.8 release, execute the following commands: sed -i s/2.7/2.8/ /etc/apt/sources.list.d/sipwise.list apt-get update apt-get install ngcp-upgrade-2.8-ce Run the upgrade script as root like this: ngcp-upgrade The upgrade script will ask you to confirm that you want to start. Read the given information carefully, and if you agree, proceed with y. The upgrade process will take several minutes, depending on your network connection and server performance. After everything has been updated successfully, it will finally ask you to reboot your system. Confirm to let the system reboot (it will boot with an updated kernel). Once up again, double-check your config file /etc/ngcp-config/config.yml (sections will be rearranged now and will contain more parameters) and your domain/subscriber/peer configuration and test the setup. You can find a backup of some important configuration files of your existing 2.7 installation under /var/backup/ngcp-2.8-* (where * is a place holder for a timestamp) in case you need to roll back something at any time. A log file of the upgrade procedure is available at /var/backup/ngcp-2.8-*/upgrade.log. 15

22 The sip:provider CE Handbook / 84 4 Initial Installation 4.1 Prerequisites For an initial installation of the sip:provider CE, it is mandatory that your production environment meets the following criteria: HARDWARE REQUIREMENTS Recommended: Dual-core, x86_64 compatible, 3GHz, 4GB RAM, 128GB HDD Minimum: Single-core, x86_64 compatible, 1GHz, 2GB RAM, 16GB HDD SUPPORTED OPERATING SYSTEMS Debian Squeeze (6.0) 64-bit INTERNET CONNECTION Hardware needs connection to the Internet Important Only Debian Squeeze (6.0) 64-bit is currently supported as a host system for the sip:provider CE. Important It is HIGHLY recommended that you use a dedicated server (either a physical or a virtual one) for sip:provider CE, because the installation process will wipe out existing MySQL databases and modify several system configurations. 4.2 Using the NGCP installer (recommended) Installing the Operating System You need to install Debian Squeeze (6.0) 64-bit on the server. A basic installation without any additional task selection (like Desktop System, Web Server etc.) is sufficient. Tip Sipwise recommends using the Netinstall ISO (md5sum) as installation medium. 16

23 The sip:provider CE Handbook / 84 Important If you use other kinds of installation media (e.g. provided by your hosting provider), prepare for some issues that might come up during installation. For example, you might be forced to manually resolve package dependencies in order to install the sip:provider CE. Therefore, it is HIGHLY RECOMMENDED to use a clean Debian installation to simplify the installation process. Using special Debian setups If you plan to install the sip:provider CE on Virtual Hosting Providers like Dreamhost with their provided Debian installer, you might need to manually prepare the system for the NGCP installation, otherwise the installer will fail installing certain package versions required to function properly. Using Dreamhost Virtual Private Server A Dreamhost virtual server uses apt-pinning and installs specific versions of MySQL and apache, so you need to clean this up beforehand. apt-get remove --purge mysql-common ndn-apache22 mv /etc/apt/preferences /etc/apt/preferences.bak apt-get update apt-get dist-upgrade Warning Be aware that this step will break your web-based system administration provided by Dreamhost. Only do it if you are certain that you won t need it Installing the sip:provider CE The sip:provider CE is based on the Sipwise NGCP, so download and install the Sipwise NGCP installer package: PKG=ngcp-installer-2.8.deb wget dpkg -i ${PKG} Run the installer as root user: ngcp-installer The installer will ask you to confirm that you want to start the installation. Read the given information carefully, and if you agree, proceed with y. The installation process will take several minutes, depending on your network connection and server performance. If everything goes well, the installer will (depending on the language you use), show something like this: 17

24 The sip:provider CE Handbook / 84 Installation finished. Thanks for choosing NGCP sip:provider Community Edition. During the installation, you can watch the background processing by executing the following command on a separate console: tail -f /tmp/ngcp-installer.log 4.3 Using a pre-installed virtual machine For quick test deployments, pre-installed virtualization images are provided. These images are intended to be used for quick test, not recommended for production use Vagrant box for VirtualBox Vagrant is an open-source software for creating and configuring virtual development environments. Sipwise provides a so called Vagrant base box for your service, to easily get direct access to your own sip:provider CE Virtual Machine without any hassles. Note The following software must be installed to use Vagrant boxes: VirtualBox v Vagrant v Get your copy of sip:provider CE by running: vagrant init spce-2.8 vagrant up As soon as the machine is up and ready you should have your local copy of sip:provider CE with the following benefits: all the software and database are automatically updated to the latest available version the system is configured to use your LAN IP address (received over DHCP) basic SIP credentials to make SIP-2-SIP calls out of the box are available Use the following command to access the terminal: vagrant ssh or login to Administrator web-interface at https:// :1443 (with default user administrator and password administrator). There are two ways to access VM resources, through NAT or Bridge interface: 18

26 The sip:provider CE Handbook / 84 Default SSH login is root and password is sipwise. SSH connection details can be displayed via: vagrant ssh-config You can download a Vagrant box for VirtualBox from here manually (checksums: sha1, md5) VirtualBox image You can download a VirtualBox image from here (checksums: sha1, md5). Once you have downloaded the file you can import it to VirtualBox via its import utility. The format of the image is ova. If you have VirtualBox 3.x running, which is not compatible with ova format, you need to extract the file with any tar compatible software and import the ovf file which is inside the archive. On Linux, you can do it like this: tar xvf sip_provider_ce_2.8_virtualbox.ova On Windows, right-click on the ova file, choose Open with and select WinZIP or WinRAR or any other application able to extract tar archives. Extract the files to any place and import the resulting ovf file in VirtualBox. Considerations when using this virtual machine: You will need a 64bit guest capable VirtualBox setup. The root password is sipwise You should use bridge mode networking (adjust your bridging interface in the virtual machine configuration) to avoid having the sip:provider CE behind NAT. You ll need to adjust your timezone and keyboard layout. The network configuration is set to DHCP. You ll need to change it to the appropriate static configuration. As the virtual image is a static file, it won t contain the most updated versions of our software. Please upgrade the system via apt as soon as you boot it for the first time VMware image You can download a VMware image from here (checksums: sha1, md5). Once you have downloaded the file just extract the zip file and copy its content to your virtual machines folder. Considerations when using this virtual machine: You will need a 64bit guest capable vmware setup. The root password is sipwise 20

27 The sip:provider CE Handbook / 84 You ll need to adjust your timezone and keyboard layout. The network configuration is set to DHCP. You ll need to change it to the appropriate static configuration. As the virtual image is a static file, it won t contain the most updated versions of our software. Please upgrade the system via apt as soon as you boot it for the first time. 5 Initial System Configuration After the installation went through successfully, you are ready to adapt the system parameters to your needs to make the system work properly. 5.1 Network Configuration If you have only one network card inside your system, its device name is eth0, it s configured and only IPV4 is important to you then there should be nothing to do for you at this stage. If multiple network cards are present, your network card does not use eth0 for its device name or you need IPv6 then the only parameter you need to change at this moment is the listening address for your SIP services. To do this, you have to specify the interface where your listening address is configured, which you can do with the following command (assuming your public interface is eth0): ngcp-network --set-interface=eth0 --ip=auto --netmask=auto ngcp-network --move-from=lo --move-to=eth0 --type=web_ext --type=sip_ext --type=rtp_ext -- type=ssh_ext If you want to enable IPv6 as well, you have to set the address on the proper interface as well, like this (assuming you have an IPv6 address fdda:5cc1:23:4:0:0:0:1f on interface eth0): ngcp-network --set-interface=eth0 --ipv6= fdda:5cc1:23:4:0:0:0:1f Tip Always use a full IPv6 address with 8 octets, leaving out zero octets (e.g. fdda:5cc1:23:4::1f) is not allowed. If you haven t fully configured your network interfaces, do this by adapting also the file /etc/network/interfaces: vim /etc/network/interfaces Add or adapt your interface configuration accordingly. For example, if you just want to use the system in your internal network /24, it could look something like this: auto lo iface lo inet loopback auto eth0 21

28 The sip:provider CE Handbook / 84 iface eth0 inet static address netmask gateway dns-nameservers dns-search yourdomain.com /etc/init.d/networking restart 5.2 Apply Configuration Changes In order to apply the changes you made to /etc/ngcp-config/config.yml, you need to execute the following command to re-generate your configuration files and to automatically restart the services: ngcpcfg apply Tip At this point, your system is ready to serve. 5.3 Start Securing Your Server During installation, the system user cdrexport is created. This jailed system account is supposed to be used to export CDR files via sftp/scp. Set a password for this user by executing the following command: passwd cdrexport The installer has set up a MySQL database on your server. You need to set a password for the MySQL root user to protect it from unauthorized access by executing this command: mysqladmin password <your mysql root password> For the Administrative Web Panel located at https://<your-server-ip>:1443/, a default user administrator with password administrator has been created. Connect to the panel (accept the SSL certificate for now) using those credentials and change the password of this user by going to System Administration Administrators and clicking edit. 5.4 Configuring the Server The NGCP installer will install mailx (which has Exim4 as MTA as a default dependency) on the system, however the MTA is not configured by the installer. If you want to use the Voic -to- feature of the Voicebox, you need to configure your MTA properly. If you are fine to use the default MTA Exim4, execute the following command: dpkg-reconfigure exim4-config 22

29 The sip:provider CE Handbook / 84 Depending on your mail setup in your environment (whether to use a smarthost or not), configure Exim accordingly. In the most simple setup, apply the following options when prompted for it: General type of mail configuration: internet site;mail is sent and received directly using SMTP System mail name: the FQDN of your server, e.g. ce.yourdomain.com IP-addresses to listen on for incoming SMTP connections: Other destinations for which mail is accepted: the FQDN of your server, e.g. ce.yourdomain.com Domains to relay mail for: leave empty Machines to relay mail for: leave empty Keep number of DNS-queries minimal (Dial-on-Demand)? No Delivery method for local mail: mbox format in /var/mail/ Split configuration into small files? No Important You are free to install and configure any other MTA (e.g. postfix) on the system, if you are more comfortable with that. 5.5 Advanced Network Configuration You have a typical test deployment now and you are good to go, however you may need to do extra configuration depending on the devices you are using and functionality you want to achieve Audiocodes devices workaround As reported by many users, Audiocodes devices suffer from a problem where they replace address in Record- Route headers (added by the sip:provider CE s internal components) with its own IP address. The problem has been reported to Audiocodes but as of end 2012 the fixed firmware is not available yet so supposedly the whole range of Audiocodes devices, including but not limited to the MP202, MP252 CPEs as well as Audiocodes media gateways, is malfunctioning. As a workaround, you may change the internal IP address from to some dummy network interface. Please execute the following command (in this example is a new internal IP address): ifconfig dummy netmask Adapt your /etc/network/interfaces file accordingly: auto dummy0 iface dummy0 inet static address netmask

30 The sip:provider CE Handbook / 84 Update the network configuration in the sip:provider CE: ngcp-network --set-interface=dummy0 --ip=auto --netmask=auto ngcp-network --move-from=lo --move-to=dummy0 --type=sip_int --type=web_int Refer to the Network Configuration chapter for more details about the ngcp-network tool. Apply configuration: ngcpcfg apply Extra SIP listening ports By default, the load-balancer in sip:provider CE listens on the UDP and TCP ports 5060 (kamailio lb port) and TLS port 5061 (kamailio lb tls port). Should you need to setup one or more extra non-standard listening ports in addition to those standard ports, please edit the kamailio lb extra_sockets option in your /etc/ngcp-config/config.yml file. The correct format consists of a label and value like this: extra_sockets: port_5064: udp: :5064 test: udp: :6060 The label is shown in outbound_socket peer preference (if you want to route calls to specific peer out via specific socket); the value must contain a transport specification as in example above (udp, tcp or tls). Important The media relay uses one main primary external IP address. You should make sure it is reachable to all of your subscribers and peers (or disable the media relay for subscribers by checking the never_use_rtpproxy preference if they have routable IP addresses) - refer to the Security and Maintenance chapter for more details on firewalling. Apply configuration: ngcpcfg apply 5.6 What s next? To test and use your installation, you need to follow these steps now: 1. Create a SIP domain 2. Create some SIP subscribers 3. Register SIP endpoints to the system 4. Make local calls and test subscriber features 24

31 The sip:provider CE Handbook / Establish a SIP peering to make PSTN calls Please read the next chapter for instructions on how to do this. 25

32 The sip:provider CE Handbook / 84 6 Administrative Configuration To be able to configure your first test clients, you will need a SIP domain and some subscribers in this domain. Throughout this steps, let s assume you re running the NGCP on the IP address , and you want this IP to be used as SIP domain. This means that your subscribers will have an URI like Tip You can of course set up a DNS name for your IP address (e.g. letting sip.yourdomain.com point to ) and use this DNS name throughout the next steps, but we ll keep it simple and stick directly with the IP as a SIP domain for now. Warning Once you started adding subscribers to a SIP domain, and later decide to change the domain, e.g. from to sip.yourdomain.com, you ll need to recreate all your subscribers in this new domain. It s currently not possible to easily change the domain part of a subscriber. Go to the Administrative Web Panel (Admin Panel) running on https://<ce-ip>:1443/ and follow the steps below. The default user on the system is administrator with the password administrator, if you haven t changed it already in [?simpara]. 6.1 Creating Domains Go to System Administration Domains. You ll see a form Create Domain, where you have to provide the name of your SIP domain. In our example we ll put in there and click add. The newly created domain now shows up under Edit Domains. If you also use IPv6 and you want to use this address as a domain (opposed to creating an AAAA record for it), put it there as well and enclose it by square brackets, e.g. [fdda:5cc1:23:4::1f]. 26

33 The sip:provider CE Handbook / 84 Tip You will most likely want to assign Rewrite Rule Set to your domain via Preferences tab. The usage of Rewrite Rule Sets is explained in Section Creating Accounts An account on the NGCP is a billing container, which contains one or more subscribers for a customer. In this billing container, you can define which Billing Profile is used for calls being placed by the subscribers of this account. To create a new account, go to User Administration Accounts and click Create new account. For our first tests, we will use the default values, so just click Save. 27

34 The sip:provider CE Handbook / 84 You will be presented with an overview of the new account, showing basic Account Information, the Account Balance (which will only get relevant when you start using your own Billing Profile) and the list of Subscribers for this account, which is currently empty. 28

35 The sip:provider CE Handbook / Creating Subscribers In the Subscribers section at the bottom of the account information for the account you created before, click create new to create a new subscriber for this account. You will be presented with the Master Data form, where you have to fill in the following options: web username: This is the user part of the username the subscriber may use to log into her Customer Self Care Interface. The user part will be automatically suffixed by the SIP domain you choose for the SIP URI. Usually the web username is identical to the SIP URI, but you may choose a different naming schema. Caution The web username needs to be unique. The system will return a fault if you try to use the same web username twice. web password: This is the password for the subscriber to log into her Customer Self Care Interface. It must be at least 6 characters long. E.164 number: This is the telephone number mapped to the subscriber, separated into Country Code (CC), Area Code (AC) and Subscriber Number (SN). For the first tests, you can set a made-up number here and change it later when you get number blocks assigned by your PSTN interconnect partner. So in our example, we ll use 43 as CC, 99 as AC and 1001 as SN to form the phantasy number Tip This number can actually be used to place calls between local subscribers, even if you don t have any PSTN interconnection. This comes in handy if you use phones instead of soft-clients for your tests. The format in which this number can be dialled so the subscriber is reached is defined in Section 6.5. Important NGCP allows single subscriber to have multiple E.164 numbers to be used as aliases for receiving incoming calls. Also NGCP supports "implied" extensions, e.g. if a subscriber has number , but somebody calls , then it first tries to send the call to number (even though the user is registered as myusername), and only after 404 it falls back to the user-part for which the user is registered. Tip The interface ensures that any numbers entered conform to the local numbering plan. The numbering plan is defined by a set of three regular expressions, which can be found and edited in config.yml under the key ossbss.provisioning. routing. The defaults should work for most setups, but under some circumstances (e.g. there are no area codes) it may be necessary to customize these. SIP URI: Insert the user part of the URI into the first field (e.g. user1) and select the domain you want to put this subscriber into in the drop-down. 29

36 The sip:provider CE Handbook / 84 Caution With the default system settings, the user part has to have at least one alphabetic character, so it s not possible by default to just use a number here. To allow that, on the console set ossbss provisioning allow_numeric_usernames to 1 in /etc/ngcp-config/config.yml and execute the command ngcpcfg apply. If you want for example to set a numeric customer id as the SIP user, make sure it does not overlap with actual phone numbers, otherwise these calls will be routed to the SIP user instead of the phone number. SIP password: The password of your subscriber to authenticate on the SIP proxy. It must be at least 6 characters long. administrative: If you have multiple subscribers in one account and set this option for one of them, this subscriber can administrate other subscribers via the Customer Self Care Interface. Click Save to create the subscriber. You will be presented with a status overview of the subscriber, showing the Active Device Registration (your clients registered on the system using this subscriber) and your Active Peer Registration (the registration of this subscriber at a remote peer, done by the system in behalf of the user; this is useful if your sip:provider CE is acting as an SBC in front of another soft-switch; this scenario will be covered in Section 7). 30

37 The sip:provider CE Handbook / 84 Repeat the creation of accounts and subscribers for all your test accounts. You should have at least 3 subscribers to test all the functionality of the NGCP. Tip At this point, you re able to register your subscribers to the NGCP and place calls between these subscribers. You should now revise the subscriber Preferences, in particular the CLI options that control what is used as user-provided and network-provided calling numbers. Click the tab Preferences in the top horizontal menu to reach this view. 31

38 The sip:provider CE Handbook / 84 For outgoing calls, you may define multiple numbers or patterns to control what a subscriber is allowed to send as user-provided calling numbers using the allowed_clis preference. If allowed_clis does not match the number sent by the subscriber, then the number configured in cli (the network-provided number) preference will be used as user-provided calling number also. You can override any user-provided number coming from the subscriber using the user_cli preference. In this example, we click on the Edit button next to the allowed_clis preference and allow all numbers starting with as well as the number

39 The sip:provider CE Handbook / Creating Peerings If you want to terminate calls at or allow calls from 3 rd party systems (e.g. PSTN gateways, SIP trunks), you need to create SIP peerings for that. To do so, go to System Administration SIP Peerings. There you can add peering groups, and for each peering group add peering servers. Every peering group needs a peering contract for correct interconnection billing Creating Peering Contracts In order to create peering groups, you must create at least one peering contract. It defines, which billing profile is going to be used for calls to the corresponding peering groups. In this example, we will use the Default Billing Profile, because we haven t set up proper profiles yet. In the SIP Peering Contracts section, click create new to add a peering contract. 33

40 The sip:provider CE Handbook / 84 You will be presented with a form to set the billing profile and some contact details for the contract. To create a very basic dummy profile, we will set the following values: billing profile: Default Billing Profile First Name: leave empty Last Name: leave empty Company: leave empty Click Save to store the peering contract. 34

41 The sip:provider CE Handbook / Creating Peering Groups In System Administration SIP Peerings, create a new peering group in the section Create Peering Group. You will usually have one peering group per carrier you re planning to send traffic to and receive traffic from. We will create a test group using the peering contract added before: Name: test group Priority: 1 Description: peering to a test carrier Peering Contract: select the id of the contract created before 35

42 The sip:provider CE Handbook / 84 Then click add to create the group Creating Peering Servers In the group created before, you need to add peering servers to route calls to and receive calls from. To do so, click on the Name of your created group in the section SIP Peering Groups. 36

43 The sip:provider CE Handbook / 84 Then add your first peering server in the section Peering Servers. In this example, we will create a peering server with IP and port 5060: Name: test-gw-1 IP Address: Hostname: leave empty Port: 5060 Protocol: UDP Weight: 1 Then click add to create the peering server. Tip The hostname field for a peering server is optional. Usually, the IP address of the peer is used as domain part in the Request URI. Some peers may require you to set a particular hostname instead of the IP address there, which can be done by filling in this field. The IP address must always be given though, and the request will always be sent to the IP address, no matter what you put into the hostname field. Tip If you want to add a peering server with an IPv6 address, enter the address without surrounding square brackets into the IP Address column, e.g. ::1. 37

44 The sip:provider CE Handbook / 84 You will now see an additional section Peering Rules after your list of peering servers. There you have to define which numbers to route via this peering group. Important If you do not add at least one peering rule to your group, the servers in this group will NOT be used for outbound calls. The NGCP will however allow inbound calls from the servers in this group even without peering rules. Since the previously created peering group will be the only one in our example, we have to add a default rule to route all calls via this group. To do so, create a new peering rule with the following values: Callee Prefix: leave empty Callee Pattern: leave empty Caller Pattern: leave empty Description: Default Rule Then click add to add the rule to your group. 38

45 The sip:provider CE Handbook / 84 Tip If you set the caller or callee rules to refine what is routed via this peer, enter all phone numbers in full E.164 format, that is <cc><ac><sn>. TIP: The Caller Pattern field covers the whole URI including the subscriber domain, so you can only allow certain domains over this peer by putting for into this field. Important The selection of peering servers for outbound calls is done in the following order: 1. length of the matching peering rules for a call. 2. priority of the peering group. 3. weight of the peering servers in the selected peering group. After one or more peering group(s) is matched for an outbound call, all servers in this group are tried, according to their weight (lower weight has more precedence). If a peering server replies with SIP codes 408, 500 or 503, or if a peering server doesn t respond at all, the next peering server in the current peering group is used as a fallback, one after the other until the call succeeds. If no more servers are left in the current peering group, the next group which matches the peering rules is going to be used Authenticating and Registering against Peering Servers Proxy-Authentication for outbound calls If a peering server requires the SPCE to authenticate for outbound calls (by sending a 407 as response to an INVITE), then you have to configure the authentication details in the Preferences tab of your peer host. To do so, click Edit and for example provide the following values: peer_auth_user: <username for peer auth> 39

46 The sip:provider CE Handbook / 84 peer_auth_pass: <password for peer auth> peer_auth_realm: <domain for peer auth> Important If you do NOT authenticate against a peer host, then the caller CLI is put into the From and P-Asserted-Ide ntity headers, e.g. " " If you DO authenticate, then the From header is " " and the P- Asserted-Identity header is as usual like So for presenting the correct CLI in CLIP no screening scenarios, your peering provider needs to extract the correct user either from the From Display-Name or from the P-Asserted-Identity URI-User. Tip You will notice that these three preferences are also shown in the Subscriber Preferences for each subscriber. There you can override the authentication details for all peer host if needed, e.g. if every user authenticates with his own separate credentials at your peering provider. Registering at a Peering Server Unfortunately, the credentials configured above are not yet automatically used to register the SPCE at your peer hosts. There is however an easy manual way to do so, until this is addressed. Configure your peering servers with the corresponding credentials in /etc/ngcp-config/templates/etc/sems/etc/reg_agent.conf.tt2, then execute ngcpcfg apply. 40

47 The sip:provider CE Handbook / 84 Important Be aware that this will force SEMS to restart, which will drop all calls. 6.5 Configuring Rewrite Rule Sets Important On the NGCP, every phone number is treated in E.164 format <country code><area code><subscriber number>. Rewrite Rule Sets is a flexible tool to translate the caller and callee numbers to the proper format before the routing lookup and after the routing lookup separately. The created Rewrite Rule Sets can be assigned to the domains, subscribers and peers as a preference. You would normally begin with creating a Rewrite Rule Set for your SIP domains. This is used to control what an end user can dial for outbound calls, and what is displayed as the calling party on inbound calls. The subscribers within a domain inherit Rewrite Rule Sets of that domain, unless this is overridden by a subscriber Rewrite Rule Set preference. To create a new Rewrite Rule Set, go to System Administration Rewrite Rule Sets. There you can create a Set identified by a name. This name is later shown in your peer-, domain- and user-preferences where you can select the rule set you want to use. Click Add, and then on the link of the Rewrite Rule Set name to define the rules for this set. 41

48 The sip:provider CE Handbook / 84 Tip In Europe, the following formats are widely accepted: +<cc><ac><sn>, 00<cc><ac><sn> and 0<ac><sn>. Also, some countries allow the areacode-internal calls where only subscriber number is dialed to reach another number in the same area. Within this section, we will use these formats to show how to use rewrite rules to normalize and denormalize number formats Inbound Rewrite Rules for Caller These rules are used to normalize user-provided numbers (e.g. passed in From Display Name or P-Preferred-Identity headers) into E.164 format. In our example, we ll normalize the three different formats mentioned above into E.164 format. STRIP LEADING 00 OR + Match Pattern: ˆ(00 \+)([1-9][0-9]+)$ Replacement Pattern: \2 Description: International to E.164 REPLACE 0 BY CALLER S COUNTRY CODE: Match Pattern: ˆ0([1-9][0-9]+)$ Replacement Pattern: ${caller_cc}\1 Description: National to E.164 NORMALIZE LOCAL CALLS: Match Pattern: ˆ([1-9][0-9]+)$ Replacement Pattern: ${caller_cc}${caller_ac}\1 Description: Local to E.164 Normalization for national and local calls is possible with special variables ${caller_cc} and ${caller_ac} that can be used in Replacement Pattern and are substituted by the country and area code accordingly during the call routing. Important These variables are only being filled in when a call originates from a subscriber (because only then the cc/ac information is known by the system), so you can not use them when a calls comes from a SIP peer (the variables will be just empty in this case). Tip When routing a call, the rewrite processing is stopped after the first match of a rule, starting from top to bottom. If you have two rules (e.g. a generic one and a more specific one), where both of them would match some numbers, drag&drop the rules into the appropriate order. 42

49 The sip:provider CE Handbook / Inbound Rewrite Rules for Callee These rules are used to rewrite the number the end user dials to place a call to a standard format for routing lookup. In our example, we again allow the three different formats mentioned above and again normalize them to E.164, so we put in the same rules as for the caller. STRIP LEADING 00 OR + Match Pattern: ˆ(00 \+)([1-9][0-9]+)$ Replacement Pattern: \2 Description: International to E.164 REPLACE 0 BY CALLER S COUNTRY CODE: Match Pattern: ˆ0([1-9][0-9]+)$ Replacement Pattern: ${caller_cc}\1 Description: National to E.164 NORMALIZE AREACODE-INTERNAL CALLS: Match Pattern: ˆ([1-9][0-9]+)$ Replacement Pattern: ${caller_cc}${caller_ac}\1 43

50 The sip:provider CE Handbook / 84 Description: Local to E.164 Tip Our provided rules will only match if the caller dials a numeric number. If he dials an alphanumeric SIP URI, none of our rules will match and no rewriting will be done. You can however define rules for that as well. For example, you could allow your end users to dial support and rewrite that to your support hotline using the match pattern ˆsupport$ and the replace pattern or whatever your support hotline number is Outbound Rewrite Rules for Caller These rules are used to rewrite the calling party number for a call to an end user. For example, if you want the device of your end user to show 0<ac><sn> if a national number calls this user, and 00<cc><ac><sn> if an international number calls, put the following rules there. REPLACE AUSTRIAN COUNTRY CODE 43 BY 0 Match Pattern: ˆ43([1-9][0-9]+)$ Replacement Pattern: 0\1 Description: E.164 to Austria National PREFIX 00 FOR INTERNATIONAL CALLER Match Pattern: ˆ([1-9][0-9]+)$ Replacement Pattern: 00\1 Description: E.164 to International Tip Note that both of the rules would match a number starting with 43, so drag&drop the national rule to be above the international one (if it s not already the case) Outbound Rewrite Rules for Callee These rules are used to rewrite the called party number immediately before sending out the call on the network. This gives you an extra flexibility by controlling the way request appears on a wire, when your SBC or other device expects the called party number to have a particular tech-prefix. It can be used on calls to end users too if you want to do some processing in intermediate SIP device, e.g. apply legal intercept selectively to some subscribers. PREFIX S I P S P# FOR ALL CALLS Match Pattern: ˆ([0-9]+)$ 44

51 The sip:provider CE Handbook / 84 Replacement Pattern: sipsp#\1 Description: Intercept this call Emergency Number Handling Configuring Emergency Numbers is also done via Rewrite Rules. For Emergency Calls from a subscriber to the platform, you need to define an Inbound Rewrite Rule For Callee, which adds a prefix emergency_ to the number (and can rewrite the number completely as well at the same time). If the proxy detects a call to a SIP URI starting with emergency_, it will enter a special routing logic bypassing various checks which might make a normal call fail (e.g. due to locked or blocked numbers, insufficient credits or exceeding the max. amount of parallel calls). TAG AN EMERGENCY CALL Match Pattern: ˆ( )$ Replacement Pattern: emergency_\1 Description: Tag Emergency Numbers To route an Emergency Call to a Peer, you can select a specific peering group by adding a peering rule with a callee prefix set to emergency_ to a peering group. In order to normalize the emergency number to a valid format accepted by the peer, you need to assign an Outbound Rewrite Rule For Callee, which strips off the emergency_ prefix. You can also use the variables ${caller_emergency_cli}, ${cal ler_emergency_prefix} and ${caller_emergency_suffix} as well as ${caller_ac} and ${caller_cc}, which are all configurable per subscriber to rewrite the number into a valid format. NORMALIZE EMERGENCY CALL FOR PEER Match Pattern: ˆemergency_(.+)$ Replacement Pattern: ${caller_emergency_prefix}${caller_ac}\1 Description: Normalize Emergency Numbers Assigning Rewrite Rule Sets to Domains and Subscribers Once you have finished to define your Rewrite Rule Sets, you need to assign them. For sets to be used for subscribers, you can assign them to their corresponding domain, which then acts as default set for all subscribers. To do so, go to System Administration Domains and click on the domain name you want the set to assign to. Click on Edit and select the Rewrite Rule Set created before. 45

52 The sip:provider CE Handbook / 84 You can do the same in the Preferences tab of your subscribers. That way, you can finely control down to an individual user the dial-plan to be used Creating Dialplans for Peering Servers For each peering server, you can use one of the Rewrite Rule Sets that was created previously as explained in Section 6.5 (keep in mind that special variables ${caller_ac} and ${caller_cc} can not be used when the call comes from a peer). To do so, click on the name of the peering server, look for the preference called Rewrite Rule Sets. If your peering servers don t send numbers in E.164 format <cc><ac><sn>, you need to create Inbound Rewrite Rules for each peering server to normalize the numbers for caller and callee to this format, e.g. by stripping leading + or put them from national into E.164 format. Likewise, if your peering servers don t accept this format, you need to create Outbound Rewrite Rules for each of them, for example to append a + to the numbers. 46

53 The sip:provider CE Handbook / 84 7 Advanced Subscriber Configuration The sip:provider CE provides a large amount of subscriber features in order to offer compelling VoIP services to end customers, and also to cover as many deployment scenarios as possible. In this chapter, we will go over the features and describe their behavior and their use cases. 7.1 Access Control for SIP Calls There are two different methods to provide fine-grained call admission control to both subscribers and admins. One is Block Lists, where you can define which numbers or patterns can be called from a subscriber to outbound direction and which numbers or patterns are allowed to call a subscriber in inbound direction. The other is NCOS Levels, where the admin predefines rules for outbound calls, which are grouped in certain levels. The user can then just choose the level, or the admin can restrict a user to a certain level. Also sip:provider CE offers some options to restrict the IP addresses that subscriber is allowed to use the service from. The following chapters will discuss these features in detail Block Lists Block Lists provide a way to control which users/numbers are able to call or to be called, based on a subscriber level. Block Lists are separated into Administrative Block Lists (adm_block_*) and Subscriber Block Lists (block_*). They both have the same behavior, but Administrative Block Lists take higher precedence. Administrative Block Lists are only accessible by the system administrator and can thus be used to override any Subscriber Block Lists, e.g. to block certain destinations. The following break-down of the various block features apply to both types of lists. 47

54 The sip:provider CE Handbook / 84 Block Modes Block lists can either be whitelists or blacklists and are controlled by the User Preferences block_in_mode, block_outmode and their administrative counterparts. The blacklist mode tells the system to allow anything except the entries in the list. This mode is used if you want to just block certain numbers and allow all the rest. The whitelist mode indicates to reject anything except the entries in the list. This is used if you want to enforce a strict policy and allow only selected destinations or sources. You can change a list mode from one to the other at any time. Block Lists The list contents are controlled by the User Preferences block_in_list, block_out_list and their administrative counterparts. Click on the Edit button in the User Preferences view to define the list entries. In block list entries, you can provide shell patterns like * and []. The behavior of the list is controlled by the block_xxx_mode feature (so they are either allowed or rejected). In our example above we have block_out_mode set to blacklist, so all calls to US numbers and to the Austrian number are going to be rejected. Block Anonymous Numbers For incoming call, the User Preference block_in_clir and adm_block_in_clir controls whether or not to reject incoming calls with number supression (either "[Aa]nonymous" in the display- or user-part of the From-URI or a header Privacy: id is set). This flag is 48

55 The sip:provider CE Handbook / 84 independent from the Block Mode NCOS Levels NCOS Levels provide predefined lists of allowed or denied destinations for outbound calls of local subscribers. Compared to Block Lists, they are much easier to manage, because they are defined on a global scope, and the individual levels can then be assigned to each subscriber. Again there is the distinction for user- and administrative-levels. NCOS levels can either be whitelists or blacklists. The blacklist mode indicates to allow everything except the entries in this level. This mode is used if you want to just block certain destinations and allow all the rest. The whitelist mode indicates to reject anything except the entries in this level. This is used if you want to enforce a strict policy and allow only selected destinations. Creating NCOS Levels To create an NCOS Level, go to Number Management NCOS. Enter a name, select the mode and add a description, then click the Add button. Creating Rules per NCOS Level To define the rules within the newly created NCOS Level, click on the name of the level. 49

56 The sip:provider CE Handbook / 84 In the Number Patterns section you can enter multiple patterns to define your level, one after the other. In this example, we block (since the mode of the level is blacklist) all numbers starting with 439. Click the Add button to save the entry in the level. The option include local area code in list for a blacklist means that calls within the area code of the subscribers are denied, and for whitelist that they are allowed, respectively. For example if a subscriber has country-code 43 and area-code 1, then selecting this checkbox would result in an implicit entry ˆ

57 The sip:provider CE Handbook / 84 Assigning NCOS Levels to Subscribers/Domains Once you ve defined your NCOS Levels, you can assign them to local subscribers. To do so, navigate to User Administration Subscribers, search for the subscriber you want to edit, go to the Preferences Tab and press the Edit button. Navigate down to the ncos and adm_ncos preference drop-downs and select your NCOS Level. Navigate further down to the end of the preference list and press the Save button. You can assign the NCOS level to all subscribers within a particular domain. To do so, navigate to System Administration Subscribers, select domain you want to edit, go to the Preferences Tab and press the Edit button. Select your NCOS Level in the ncos or adm_ncos preference drop-down. Press the Save button. Note: if both domain and subscriber have same NCOS preference set (either ncos or adm_ncos, or both) the subscriber s preference is used. This is done so that you can override the domain-global setting on the subscriber level IP Address Restriction The sip:provider CE provides subscriber preference allowed_ips to restrict the IP addresses that subscriber is allowed to use the service from. If the REGISTER or INVITE request comes from an IP address that is not in the allowed list, the sip:provider CE will reject it with a 403 message. Also a voice message can be played when the call attempt is rejected (if configured). 51

58 The sip:provider CE Handbook / 84 By default, allowed_ips is an empty list which means that subscriber is not restricted. If you want to configure a restriction, navigate to User Administration Subscribers, search for the subscriber you want to edit, go to the Preferences Tab and scroll down to the allowed_ips preference. Press the Edit button to the right of empty drop-down list. You can enter multiple allowed IP addresses or IP address ranges one after another. Click the Add button to save each entry in the list. Click the Delete button if you want to remove some entry. 7.2 Call Forwarding and Call Hunting The sip:provider CE provides the capabilities for normal call forwarding (deflecting a call for a local subscriber to another party immediately or based on events like the called party being busy or doesn t answer the phone for a certain number of seconds) and serial call hunting (sequentially executing a group of deflection targets until one of them succeeds). Targets can be stacked, which means if a target is also a local subscriber, it can have another call forward or hunt group which is executed accordingly. Call Forwards and Call Hunting Groups can either be executed unconditionally or based on a Time Set Definition, so you can define deflections based on time period definitions (e.g. Monday to Friday 8am to 4pm etc). 52

59 The sip:provider CE Handbook / Defining Destination Sets A Call Forward is always based on a Destination Set, which contains one (for normal Call Forwards) or more (for Hunt Groups) destinations. To define a Destination Set, go to the Preferences Tab of a subscriber and click on the Edit Destination Sets button in the Call Forwards section. You can create a Destination Set by setting a name for the set and press the Add button. Once you created your destination set, you can add destinations to it. Select either one of the internal services (Voicebox, Fax2Mail if available, Conferencing) or define a number or SIP URI. You can also define how long to try this destination (which is important for Hunt Groups if you want to let a destination only ring for a certain amount of seconds). Click the Add button once you are done to save the destination. 53

60 The sip:provider CE Handbook / 84 If you want to add more destinations for a Destination Set in order to create a Hunt Group, click the Edit button of the Destination Set. To rearrange the order of the destinations within a Destination Set, just drag&drop the entries to the proper position. 54

61 The sip:provider CE Handbook / 84 You can define multiple destination sets to be used for different types of forwards (unconditional, busy etc.) and for different Time Sets (using one Destination Set during office hours and else another one) Activating a Destination Set In order to activate a Destination Set to be used always (that is, without a Time Set constraint), go back to your Call Forwards section in the Preferences view and select the Destination Set you want to use for the particular scenario, then press the Add button. Since no Time Sets have been defined yet, you can only select always for the period option Defining Time Sets To define certain time periods in which a Destination Set should be active, click on the Edit Time Sets button in the Call Forwards section. 55

62 The sip:provider CE Handbook / 84 Like with Destination Sets, you can create multiple Time Sets to be used for different scenarios, and you can assign multiple Time Sets to a specific Call Forward. To create a Time Set, just provide a name and click the Add button. Once the Time Set is created, you can add Time Period Definitions. To do so, drag&drop the building blocks from the top into the slots of your Time Set. Important The ranges mean from through to, so an hour range means from start of hour 8 to end of hour 17, which is 08:00:00-17:59:59. Also note that ranges wrap around nicely, so an hour range definition works perfectly fine. To define a more complex period definition which defines after-office-hours (Mo-Fri from 00:00 to 08:29 and from 18:00-00:00, and Sat-Sun the whole day), you need three different rules as shown in the figure below: 56

63 The sip:provider CE Handbook / 84 The first row defines the weekend, which is the whole Saturday and Sunday. The second row defines the time on Weekdays (Mon-Fri) from 18:00 to 07:59 (again remember the meaning through). The last row defines the half hour on Weekdays (Mon-Fri) from 08:00 to 08:29. Once you ve defined a row, click the Add button next to the row. If you want to add more rows to a Time Set, just click the Edit button next to the Time Set Name Assigning a Time Set to a Call Forward To use a previously defined Time Set, go back to the Call Forward section of the Preferences view and select it from the drop-down of the appropriate scenario, along with a Destination Set. If you already use a Destination Set, click the Edit button to add a Time Set for this scenario. Note that you can add multiple rows per scenario. For our after office hours example above, we can add a new Time Set called public holidays, which defines all public holidays where your office is closed, then add both of them for the Call Forward Unconditional scenario, like this: 57

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server Quick Start Guide October 2013 Copyright and Legal Notice. All rights reserved. No part of this document may be

Introduction 1 7 Introduction Teleport-Video SD image is based on Asterisk and FreePBX running on the Raspberry Pi. For any information related to Raspberry Pi, check the original website at raspberrypi.org.

Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

Vega 100G and Vega 200G Gamma Config Guide This document aims to go through the steps necessary to configure the Vega SBC to be used with a Gamma SIP Trunk. When a SIP trunk is provisioned by Gamma a list

GRAVITYZONE HERE Deployment Guide VLE Environment LEGAL NOTICE All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including

VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document

Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure

nexvortex Setup Guide CISCO UC500 March 2012 Introduction This document is intended only for nexvortex customers and resellers as an aid to setting up the Cisco PBX software to connect to the nexvortex

Fasthosts Customer Support Plesk 11 Manual This guide covers everything you need to know in order to get started with the Parallels Plesk 11 control panel. Contents Introduction... 3 Before you begin...

Asterisk SIP Trunk Settings - Vestalink Vestalink is a new SIP trunk provider that has sprung up as a replacement for Google Voice trunking within Asterisk servers. They offer a very attractive pricing

VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

The Virtual Appliance includes the same powerful technology and simple Web based user interface found on the Barracuda Web Application Firewall hardware appliance. It is designed for easy deployment on

Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

Setting up pfsense as a Stateful Bridging Firewall. Contents Contents Setting up pfsense as a Stateful Bridging Firewall.... 1 What king of system these directions will try and help you create.... 1 Selecting

Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy

61200796L1-29.4E July 2011 Configuration Guide Configuring for the NetVanta 7000 Series This configuration guide describes the configuration and implementation of Session Initiation Protocol (SIP) trunking

User Guide CTERA Portal Datacenter Edition September 2011 Version 3.0 Copyright 2009-2011 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means

F-SECURE MESSAGING SECURITY GATEWAY DEFAULT SETUP GUIDE This guide describes how to set up and configure the F-Secure Messaging Security Gateway appliance in a basic e-mail server environment. AN EXAMPLE

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

SJ Labs, Inc. 2005 All rights reserved SJphone is a registered trademark. No part of this document may be copied, altered, or transferred to, any other media without written, explicit consent from SJ Labs

The Barracuda SSL VPN Vx Virtual Appliance includes the same powerful technology and simple Web based user interface found on the Barracuda SSL VPN hardware appliance. It is designed for easy deployment

October 14 Time Warner ITSP Setup Guide Author: Zultys Technical Support This configuration guide was created to assist knowledgeable vendors with configuring the Zultys MX Phone System with Time Warner

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment) N.B. Goto MyIC Preferences in the System Toolbar. Description: this may be any appropriate description of the

CIS Networking Installing Ubuntu Server on Windows hyper-v Much of this information was stolen from http://www.isummation.com/blog/installing-ubuntu-server-1104-64bit-on-hyper-v/ Create a virtual machine

The feature allows embedded messages of the Session Initiation Protocol (SIP) passing through a device that is configured with Network Address Translation (NAT) to be translated and encoded back to the

TANDBERG MANAGEMENT SUITE 10.0 Installation Manual Getting Started D12786 Rev.16 This document is not to be reproduced in whole or in part without permission in writing from: Contents INTRODUCTION 3 REQUIREMENTS